Crown Resorts Joins Growing List of GoAnywhere Cyberattack Victims

Written by staff writer.

A large data breach at third-party file transfer software company GoAnywhere earlier this year is having ramifications for several large Australian entities, with Crown Resorts confirming on March 27 that it had received a ransomware demand from Russian cybercriminals.

“We were recently contacted by a ransomware group who claim they have illegally obtained a limited number of Crown files,” a Crown spokesperson said. “We are investigating the validity of this claim as a matter of priority. We can confirm no customer data has been compromised, and our business operations have not been impacted.”

Ransomware gang Cl0p has claimed responsibility for the January 2023 attack on Fortra’s GoAnywhere managed file transfer tool that has compromised data from a growing list of entities, including employee data from Rio Tinto and accounting data from the University of Melbourne. Cl0p has methodically begun releasing stolen data from several non-Australian entities on the dark web to encourage the payment of ransoms.

The exact date of the attack is unknown, but the incident was reported on February 2 by Krebs on Security. Fortra reportedly became aware of the breach on January 30 and issued a client advisory the following day. They secured the vulnerability (CVE-2023-0669) within five days, but it was already too late.

It wasn’t until March 24 that Cl0p began posting details about Crown Resorts on the dark web. The Melbourne-based gaming company was one of 100 entities Cl0p have issued ransomware demands to in March that stem from the GoAnywhere attack.

Cl0p, also known as TA505 and FIN11, is an established ransomware gang with a track record spanning several years, previously targeting Shell, Qualys, the Reserve Bank of New Zealand, Stanford University and the UK Police National Computer Database, among others. Authorities arrested six members in late 2021. However, within half a year, the group was getting back to business. Reports suggest Cl0p has extracted USD500 million from entities in the last five years.

Rio Tinto has confirmed that January 2023 payroll information relating to a “small number of employees” had been stolen in the GoAnywhere attack. “To date, none of the records have been released, and we still do not know if the cybercriminal group holds these records or not,” a spokesperson said.

It is now known that Cl0p stole data from around 130 entities worldwide in the GoAnywhere breach. Fortra reportedly told its clients that their data was secure. Further, some clients were hit with ransomware demands after the software company had issued its assurances, and in some cases, the first clients knew of the attack when the ransomware demand arrived. Fortra’s website, including its news pages, does not mention the breach.

Crown Resorts has not said whether it was aware of the breach before Cl0p contacted it, only saying it was working with law enforcement agencies and has informed the gaming regulator. Victoria Police have confirmed that an investigation is underway.

Meanwhile, overnight, the European multinational information technology service and consulting company ATOS also confirmed that it lost data in the GoAnywhere breach.
